Dutch watchdog fines Booking.com €475k after it kept customer data thefts quiet for more than 3 weeks

The Netherlands Data Protection Authority has fined Booking.com €475,000 for notifying it too late that criminals had accessed the data of 4,109 people who booked a hotel room via the website. The Autoriteit Persoonsgegevens (AP) said criminals managed to extract the login credentials to their Booking.com accounts from …

  1. tfewster

    Ninety-seven of these included the card verification code

    What part of the PCI rule "never, ever, store the card verification code" did they not understand?

    Hopefully their bank will levy an even bigger fine for breaking card processing rules.

    1. Giles C Silver badge

      Re: Ninety-seven of these included the card verification code

      They should never have the CVV code, whatever made them store it.

      1. sreynolds

        Re: Ninety-seven of these included the card verification code

        Fewer hurdles to pass when spending your money?

    2. Muppet Boss

      Re: Ninety-seven of these included the card verification code

      >What part of the PCI rule "never, ever, store the card verification code" did they not understand?

      It is an open secret that Booking.com readily allows hotels to view full card payment details including CVV a maximum of 3 times for every booking to allow the hotels to force collect payments. Apparently they have to store this data to be able to show it. I am sure all their partnering hotels went through stringent checks, as well as all owners, managers, receptionists and hotel staff who have access to the hotel's Booking credentials as authorized personnel. I can hardly imagine how criminals can get access to the card data given the security arrangements described above, but it only seems to be possible in violation of Booking.com security policies, for example if the hotel employee illegally or criminally uses card data provided by Booking.com, definitely not Booking.com's fault. Surely, the service provider could never be a crime enabler! (/sarcasm off)

      This is the main reason I do not book with Booking.com or, when I absolutely have to, I use a normally disabled virtual card that is only enabled when needed and also requires my authorization for every online payment. I definitely do not feel safe with my card's data in Booking.com's hands; I am convinced it is not safe there and that Booking.com will neither reimburse me nor accept any responsibility after my card details are illegally used by the hotel staff who "officially" got them from Booking.com.

      I doubt it will stop though unless the fine is at least €475 million. €475k is less than 15 minutes of Booking.com's pre-Covid revenue.

      Booking.com's Android app also seems to clandestinely collect and send GPS location after every phone reboot and several times during the day via background location access, in addition to coarse location collected from the phone's IP address when calling home. At least it tries to on my phones; it is easy to check and block on any rooted phone but it is mostly invisible on any stock phone (the proverbial "user care" that the corporates refer to when blocking their apps from running on rooted phones. Do not anger the user.). I can hardly imagine any legitimate reason under GDPR permitting them to conduct such tracking, but they do anyway. I cannot tell about the iOS app but I would imagine it is about the same.

      1. Muppet Boss

        Re: Ninety-seven of these included the card verification code

        This is Booking.com's help article confirming that they are keeping full card details incl. CVV and show them to "verified" hotels ("verified" as in Booking.com will post a letter to the hotel's stated address with a verification code; you expected something more ... substantial? Ha, naïve!). Of course, virtually all hotels enable "view CVC" as the first step because this feature is specifically designed to hold the "guest"'s card details hostage in case of non-payment. Because the CVV is only shown once, the hotels simply print out this page as BAU. Yup, this is your card details on that table. Of course Booking.com is not responsible. Happy Booking!

        https://partner.booking.com/en-gb/help/policies-payments/guest-payments/how-can-i-access-guests%E2%80%99-credit-card-details

      2. anothercynic Silver badge

        Re: Ninety-seven of these included the card verification code

        Booking.com used to provide our corporate travel, and the number of times *I* had to provide my own card as security despite having the corporate card available on their system was just too much... It was utterly annoying.

        They should be fined a damn sight more. And I see it's UAE hotels again that abused the system. Why am I not surprised?

        1. werdsmith Silver badge

          Re: Ninety-seven of these included the card verification code

          Hotels are a special case where they are able to take money from people without direct authorisation because the guest trashed the room, stole the towels and slippers or used a siphon to empty the bottles in the mini bar without removing them from their place.

  2. KorndogDev

    booking.com sends ALL credit card info as text

    This has been known for ages to those who work at hotel desks. When you book a place via their site, they send your name, credit card number and CVV directly to hotels. What do hotels do? They most likely print out that information for future reference; I have seen such printouts many times while waiting for the hotel staff to return to their desk. This is a zero security model and it has been running for years.

    1. alain williams Silver badge

      Re: booking.com sends ALL credit card info as text

      I have seen such printouts many times while waiting for the hotel staff to return to their desk.

      I saw such a pile when checking in to a hotel in Eastbourne a few years ago, I complained to the manager who said that he would do something about it (no idea if he did).

      I complained to Nat West credit card services. They were less than interested. In my experience banks talk much more about security than they actually do.

  3. Anonymous Coward

    One Good Thing

    While a bigger fine for their data practices would be nice, the fact that they were fined for not notifying the affected customers is a step in the right direction. Would that more countries adopted Netherlands regulations in this area.

    1. A.P. Veening Silver badge

      Re: One Good Thing

      The regulations are there at least in the other 26 EU countries. Unfortunately, those regulations aren't always followed. And I think California has similar regulations as well.

      1. NoKangaroosInAustria

        Re: One Good Thing

        Exactly. It's in the GDPR.

      2. EnviableOne

        Re: One Good Thing

        GDPR, unfortunately, allows only one Authority to lead enforcement action for all affected authorities, the one in the territory they claim to be headquartered for the Euro Zone.

        For most of the big boys, this is the highly underfunded and politically discouraged DPO of Ireland.

    2. John Brown (no body) Silver badge

      Re: One Good Thing

      "fined for not notifying the affected customers"

      Yes, multiple customers at risk of having their cards maxed out for 22 fricken days!!! Full card details including CVV exposed for those poor suckers.

      Hopefully, this is not the end of the story and further fines will be incoming for Booking based on other GDPR violations.

  4. Anonymous Coward

    OnlineWhatsit.com

    Why do people even use these third parties?

    Use them for research, sure.

    Book direct, negotiate direct.

    Avoid unnecessary middle men.

    1. Jassop

      Re: OnlineWhatsit.com

      If that figure of $4.9 billion income from $15.1 billion revenue is right, that's a hell of a fat slice to take for a middle man. Booking direct would probably be a good idea!

    2. A.P. Veening Silver badge

      Re: OnlineWhatsit.com

      The reason to use these third parties is that it is often cheaper. I've tried to do as you suggested and it just didn't work out.

      One nice example: I was staying in a hotel in Frankfurt am Main, Germany and wanted to extend one night. Using the same website as the original booking (not booking.com), I got one price. When I walked up to the desk for a direct booking, I was quoted nearly double. I was a bit surprised about that and learned a certain number of rooms were already sold for a fixed price to that website and the hotel got paid for them whether occupied or not. I ended up booking through the website.

      1. NoKangaroosInAustria

        Re: OnlineWhatsit.com

        Came here to post the very same comment - happened to me a few years ago in Switzerland that Booking.com had reserved a fixed number of rooms at price CHF x whereas the hotel's going rate was CHF x + quite a bit more. I ended up booking through Booking.com. Back then they used to have warnings like "only 2 rooms left!" displayed in red warning letters on the website.

        1. Muppet Boss

          Re: OnlineWhatsit.com

          Which is because Booking.com forces hotels into a seedy rate parity (price fixing) agreement which prohibits the hotel from offering lower prices via any other sales channel than Booking.com (despite Booking.com charging 15% base commission plus more for promotion). The hotels do not have much choice because Booking.com brings more than 50% of traffic. This agreement was dropped or partially dropped in quite a few countries already after local courts ruled rate parity practices as anti-competitive or outright illegal. In the UK too, from 2019.

  5. Anonymous Coward

    €475,000

    wow. How about 50% of their total takings?

    1. EnviableOne

      Re: €475,000

      unfortunately, only 4% turnover of their "Undertaking," but the undertaking is the parent company and all subsidiaries (see Spanish DPO vs Google)

      Booking Holdings Inc.

      headquartered in Norwalk, Connecticut, U.S.

      2019 turnover $15.066 billion

      so they got off lightly - $602 million would be their max fine

  6. Anonymous Coward

    I did several contracts at large travel agencies, and what Muppet Boss describes in several posts above is standard practice across the industry. The agencies have a lot of leverage with the hotels since most people book through them, so the agencies dictate pretty onerous terms. However, booking.com have forced a race to the bottom for most of their competitors who were too slow to get in on this Internet thing twenty plus years ago. The result is an industry with complex, obsolete systems and small margins that limit their resources. The irony is that booking.com are reputed to be running on a mess of spaghetti Perl code themselves.

  7. FlamingDeath Silver badge

    “I like money”

    - Frito
